Merge ~alexmurray/ubuntu-cve-tracker:check-cves-hint-from-srcpkg-homepage-and-ref-urls into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Needs review
Proposed branch: ~alexmurray/ubuntu-cve-tracker:check-cves-hint-from-srcpkg-homepage-and-ref-urls
Merge into: ubuntu-cve-tracker:master
Diff against target: 73 lines (+28/-1)
2 files modified
scripts/check-cves (+24/-1)
scripts/source_map.py (+4/-0)
Reviewer Review Type Date Requested Status
Ubuntu Security Team Pending
Review via email: mp+464163@code.launchpad.net

Description of the change

scripts/check-cves: try to match CVE references against package homepages

Parse and store the Homepage field in source_map and then try and match these
URLs against any we see in the references for a CVE to hint that the package is
likely affected.

Revision history for this message
Alex Murray (alexmurray) wrote :

Not sure if the grep-aptavail shell command is a hack or whether we should try and integrate this into source_map and look it up from there - thoughts?

Revision history for this message
Mark Esler (eslerm) wrote :

This looks great. Cleans up a lot.

Could the homepages_map code be a function?

Revision history for this message
Alex Murray (alexmurray) wrote :

Reworked this to use source_map instead as suggested in the comment above.

Revision history for this message
Alex Murray (alexmurray) wrote :

Will require a re-run of ./scripts/gen-source-map-cache to populate the cache (or wait for the next packages-mirror run)

Unmerged commits

5c6cf4f... by Alex Murray

scripts/check-cves: try to match CVE references against package homepages

Parse and store the Homepage field in source_map and then try and match these
URLs against any we see in the references for a CVE to hint that the package is
likely affected.

Signed-off-by: Alex Murray <email address hidden>

Failed
[SUCCEEDED] unit-tests:0 (build)
[FAILED] check-cves:0 (build)

Preview Diff

1diff --git a/scripts/check-cves b/scripts/check-cves
2index be0b713..301b3ef 100755
3--- a/scripts/check-cves
4+++ b/scripts/check-cves
5@@ -83,6 +83,17 @@ common_words = ['an', 'and', 'context', 'file', 'modules', 'the', 'when']
6 allsrcs.difference_update(set(common_words))
7 allsrcs.update(set(cve_lib.package_db.keys()))
8
9+# build list of known homepages for source packages
10+homepages_map = {}
11+for release in list(source.keys()):
12+ for src in source[release]:
13+ try:
14+ homepage = source[release][src]['homepage']
15+ homepages_map.setdefault(src, set())
16+ homepages_map[src].add(homepage)
17+ except KeyError:
18+ pass
19+
20 built_using_map = None
21
22 destdir = "."
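Review bot: the nested loops that build `homepages_map` run at module import time and only partly answer Mark's question in the comments; wrapping them in a small function (say `build_homepages_map(source)`, name hypothetical) would make the map testable in isolation and give one place to normalize the values, which matters because the raw `Homepage` string is later compared by substring. Skipping empty strings and stripping a trailing slash there avoids storing entries that never match or match too broadly. Two style points in the same block: `homepages_map.setdefault(src, set())` followed by `homepages_map[src].add(homepage)` collapses to `homepages_map.setdefault(src, set()).add(homepage)`, and `for release in list(source.keys()):` can simply be `for release in source:` since the dict is not mutated in the loop.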
23@@ -949,7 +960,6 @@ class CVEHandler(xml.sax.handler.ContentHandler):
24 action = 'unembargo'
25 reason = ""
26 else:
27- words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])
28 # Default to Debian state, if available
29 if self.debian and cve in self.debian and self.debian[cve]['state']:
30 if self.debian[cve]['state'].startswith('NOT-FOR-US:'):
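Review bot: dropping `words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])` from the top of this `else:` branch is only safe if nothing in the Debian-state handling between here and the re-added assignment in the next hunk reads `words`; the three lines of visible context do not, but the hunk does not show the whole branch, so please confirm no `reason` string or `NOT-FOR-US:` handling in the elided lines depends on it before landing.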
31@@ -968,7 +978,20 @@ class CVEHandler(xml.sax.handler.ContentHandler):
32 action = 'ignore'
33 reason = 'REJECTED'
34 # try based on description
35+ words = self.get_software_hints_from_cve_description(self.cve_data[cve]['desc'])
36 if action == 'skip':
37+ # try and hint if any of the references use a URL that is within
38+ # a known packages Homepage from homepages_map
39+ if 'refs' in self.cve_data[cve]:
40+ for ref in self.cve_data[cve]['refs']:
41+ url = ref[2]
42+ for srcpkg in homepages_map:
43+ for homepage in homepages_map[srcpkg]:
44+ # TODO: do smarter matching than this
45+ if homepage in url:
46+ print(f"Detected {srcpkg} homepage in reference URL: {url}")
47+ action = 'add'
48+ packages.append(srcpkg)
49 # try and hint if the detected product name contains any known
50 # package names - this list also contains aliases and so we want
51 # to transform the aliases back into their known package name
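Review bot: `if homepage in url:` is plain substring containment, so a short or shared `Homepage` value (a bare project-hosting host, or one package's homepage that is a prefix of another's) will mark unrelated CVEs as affecting that package, which the `# TODO: do smarter matching than this` already acknowledges; suggest parsing both sides with `urllib.parse.urlsplit` and requiring an equal `netloc` plus a path-segment prefix match before accepting the hint. Two smaller issues in the same loop: `packages.append(srcpkg)` executes once per matching (reference, homepage) pair, so a package is appended repeatedly when several references point at its homepage (check membership or collect into a set first), and `url = ref[2]` assumes every entry of `refs` has at least three fields, which is worth an explicit length check since a malformed reference would raise `IndexError` inside the SAX handler.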
52diff --git a/scripts/source_map.py b/scripts/source_map.py
53index bb5dde3..293281b 100755
54--- a/scripts/source_map.py
55+++ b/scripts/source_map.py
56@@ -269,6 +269,8 @@ def load_sources_collection(item, map, detailed=True):
57 if detailed:
58 if 'Description' in parser.section:
59 map[release][pkg]['description'] = parser.section['Description']
60+ if 'Homepage' in parser.section:
61+ map[release][pkg]['homepage'] = parser.section['Homepage']
62 if not pocket:
63 map[release][pkg]['release_version'] = parser.section['Version']
64 if apt_pkg.version_compare(parser.section['Version'], map[release][pkg]['version']) > 0:
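Review bot: the new `Homepage` handling sits under `if detailed:`, so a source map loaded without `detailed=True` carries no `homepage` key; `check-cves` tolerates that through `except KeyError: pass`, but the effect is that the homepage hint silently does nothing until the cache is regenerated, which is what Alex's note about re-running `./scripts/gen-source-map-cache` implies. A short comment next to the field, or a line in the module docstring listing `homepage` among the detailed-only keys, would make that dependency explicit. The same two lines reappear in `load_packages_collection` below; a shared helper that copies the optional `Description`/`Homepage` fields would keep the two loaders in step.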
65@@ -288,6 +290,8 @@ def load_packages_collection(item, map):
66 map[release][pkg]['section'] = section
67 if 'Description' in parser.section:
68 map[release][pkg]['description'] = parser.section['Description']
69+ if 'Homepage' in parser.section:
70+ map[release][pkg]['homepage'] = parser.section['Homepage']
71
72 if not pocket:
73 map[release][pkg]['release_version'] = parser.section['Version']
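Review bot: unlike the `load_sources_collection` change above, this copy of the `Homepage` assignment has no `detailed` guard, and because a later stanza for the same `pkg` overwrites `map[release][pkg]['homepage']`, a binary stanza from another pocket or component can replace the value taken from the Sources index; confirm that is the intended precedence, and consider factoring the `Description`/`Homepage` copying into one helper used by both loaders so the guard and overwrite behaviour cannot drift apart.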
